Global Governance Insights on Emerging Risks

Over a third of directors of US public companies now discuss cybersecurity at every board meeting. Cyber risks are being driven onto the agenda by high-profile data breaches, distributed denial-of-service (DDoS) attacks, and rising ransomware and cyber extortion attacks.

The concern about cyber risks is justified. The annual economic cost of cyber-crime is estimated at US$1.5 trillion and only about 15% of that loss is currently covered by insurance.

MMC Global Risk Center conducted research and interviews with directors from WCD to understand the scope and depth of cyber risk management discussions in the boardroom. The risk of cyberattack is a constantly evolving threat and the interviews highlighted the rising focus on resilience and recovery in boardroom cyber discussions. Approaches to cyber risks are maturing as organizations recognize them as an enterprise business risk, not just an information technology (IT) problem.

However, board focus varies significantly across industries, geographies, organization size and regulatory context. For example, business executives ranked cyberattacks among the top five risks of doing business in the Asia Pacific region but Asian organizations take 1.7 times longer than the global median to discover a breach and spend on average 47% less on information security than North American firms.

REGULATION ON THE RISE

Tightening regulatory requirements for cybersecurity and breach notification across the globe, such as the EU GDPR, China’s new Cyber Security Law, and Australia’s Privacy Amendment, are also propelling cyber onto the board agenda. Most recently, in February 2018, the USA’s Securities and Exchange Commission (SEC) provided interpretive guidance to assist public companies in preparing disclosures about cybersecurity risks and incidents.

Regulations relating to transparency and notifications around cyber breaches drive greater discussion and awareness of cyber risks. Industries such as financial services, telecommunications and utilities are subject to a large number of cyberattacks on a daily basis and have stringent regulatory requirements for cybersecurity.

Kris Manos, Director, KeyCorp, Columbia Forest Products, and Dexter Apache Holdings, observed, “The manufacturing sector is less advanced in addressing cyber threats; the NotPetya and WannaCry attacks flagged that sector’s vulnerability and has led to a greater focus in the boardroom.” For example, the virus forced a transportation company to shut down all of its communications with customers and also within the company. It took several weeks before business was back to normal, and the loss of business was estimated to have been as high as US$300 million. Overall, it is estimated that as a result of supply chain disruptions, consumer goods manufacturers, transport and logistics companies, pharmaceutical firms and utilities reportedly suffered, in aggregate, over US$1 billion in economic losses from the NotPetya attacks. Also, as Cristina Finocchi Mahne, Director, Inwit, Italiaonline, Banco Desio, Natuzzi and Trevi Group, noted, “The focus on cyber can vary across industries depending also on their perception of their own clients’ concerns regarding privacy and data breaches.”

LESSONS LEARNED: UPDATE RESPONSE PLANS AND EVALUATE THIRD-PARTY RISK

The high-profile cyberattacks in 2017, along with new and evolving ransomware onslaughts, were learning events for many organizations. Lessons included the need to establish relationships with organizations that can assist in the event of a cyberattack, such as law enforcement, regulatory agencies and recovery service providers including forensic accountants and crisis management firms.

Many boards need to increase their focus on their organization’s cyber incident response plans. A recent global survey found that only 30% of companies have a cyber response plan and a survey by the National Association of Corporate Directors (NACD) suggests that only 60% of boards have reviewed their breach response plan over the past 12 months. Kris Manos noted, “[If an attack occurs,] it’s important to be able to quickly access a response plan. This also helps demonstrate that the organization was prepared to respond effectively.”

Directors need to review how the organization will communicate and report breaches. Response plans should include preliminary drafts of communications to all stakeholders including customers, suppliers, regulators, employees, the board, shareholders, and even the general public. The plan should also consider legal requirements around timelines to report breaches so the organization is not hit with financial penalties that can add to an already expensive and reputationally damaging situation. Finally, the response plan also needs to consider that normal methods of communication (websites, email, etc.) may be casualties of the breach. A cyber response plan housed only on the corporate network may be of little use in a ransomware attack.

Other lessons included the need to focus on cyber risks posed by third-party suppliers, vendors and other impacts throughout the supply chain. Shirley Daniel, Director, American Savings Bank, and Pacific Asian Management Institute, noted, “Such events highlight vulnerability beyond your organization’s control and are raising the focus on IT security throughout the supply chain.” Survey data suggests that about a third of organizations do not assess the cyber risk of vendors and suppliers. This is a critical area of focus as third-party service providers (e.g., software providers, cloud services providers, etc.) are increasingly embedded in value chains.

FRUSTRATIONS WITH OVERSIGHT

Most directors expressed frustrations and challenges with cyber risk oversight even though the topic is frequently on meeting agendas. Part of the challenge is that director-level cyber experts are thin on the ground; most boards have only one individual serving as the “tech” or “cyber” person. A Spencer Stuart survey found that 41% of respondents said their board had at least one director with cyber expertise, with an additional 7% who are in the process of recruiting one. Boards would benefit from the addition of experienced individuals who can identify the connections between cybersecurity and overall company strategy.

There is a big lack of benchmarking on practices.” Anastassia Lauterbach, Director, Dun & Bradstreet, and member of Evolution Partners Advisory Board, summarized it well, “Boards need a set of KPIs for cybersecurity highlighting their company’s unique business model, legacy IT, supplier and partner relationships, and geographical scope.”

Nearly a quarter of boards are dissatisfied with the quality of management-provided information related to cybersecurity because of insufficient transparency, inability to benchmark and difficulty of interpretation.

EFFECTIVE OVERSIGHT IS BUILT ON A COMPREHENSIVE CYBER RISK MANAGEMENT FRAMEWORK

Organizations are maturing from a “harden the shell” approach to a protocol based on understanding and protecting core assets and optimizing resources. This includes the application of risk disciplines to assess and manage risk, including quantification and analytics. (See Exhibit 2: Focus Areas of a Comprehensive Cyber Risk Management Framework.) Quantification shifts the conversation from a technical discussion about threat vectors and system vulnerabilities to one focused on maximizing the return on an organization’s cyber spending and lowering its total cost of risk.

Directors also emphasized the need to embed the process in an overall cyber risk management framework and culture. “The culture must emphasize openness and learning from mistakes. Culture and cyber risk oversight go hand in hand,” said Anastassia Lauterbach. Employees should be encouraged to flag and highlight potential cyber incidents, such as phishing attacks, as every employee plays a vital role in cyber risk management. Jan Babiak noted, “If every person in the organization doesn’t view themselves as a human firewall, you have a soft underbelly.” Mary Beth Vitale, Director, GEHA and CoBiz Financial, Inc., also noted, “Much of cyber risk mitigation is related to good housekeeping such as timely patching of servers and ongoing employee training and alertness.”

Boards also need to be alert. “Our board undertakes the same cybersecurity training as employees,” noted Wendy Webb, Director, ABM Industries. Other boards are putting cyber updates and visits to security centers on board “offsite” agendas.
